Just now I did a new test in a secure HBase with Kerberos, and got the same
result. The user will also lose its create permission after the active
HMaster restarts.

It seems that this problem is only about authorization. Maybe it is not
related to the hbase authentication configuration, 'kerberos' or 'simple'.




2014-07-03 9:54 GMT+08:00 Ted Yu <[email protected]>:

> Have you read http://hbase.apache.org/book.html#d3314e6312 ?
>
> For secure hbase deployments I worked with, kerberos has been the norm.
>
> Secure hbase experts may have some insight.
>
> Cheers
>
>
> On Wed, Jul 2, 2014 at 6:47 PM, Weichen YE <[email protected]>
> wrote:
>
> > Hi, Ted,
> >
> >       Thank you for your reply. I'm using hbase-0.94.2-cdh4.2.0.
> >       I have two HMasters for HA. Once the active HMaster restarts or
> > fails over, my user will lose its permission to create new tables. It
> > seems that, by the shell command "grant 'username','RWCXA' ", users get
> > only some kind of "temporary permission" for "C" and "A" in global scope.
> >       I know if the user is set as "hbase.superuser" in hbase-site.xml,
> > it will get a permanent permission in global scope. But what I want is
> > just to give a user the permission to create a new table, so I just use
> > "grant 'user', 'RWC'" to do this. It is really strange that the user
> > loses its create permission after the active HMaster restarts.
> >
> > btw, this is a part of my hbase-site.xml:
> >
> > <property>
> >     <name>hbase.security.authentication</name>
> >     <value>simple</value>
> > </property>
> > <property>
> >     <name>hbase.security.authorization</name>
> >     <value>true</value>
> > </property>
> > <property>
> >     <name>hbase.coprocessor.master.classes</name>
> >     <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> > </property>
> > <property>
> >     <name>hbase.coprocessor.region.classes</name>
> >     <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
> > </property>
> > <property>
> >     <name>hbase.rpc.engine</name>
> >     <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
> > </property>
> >
> >
> >
> >
> >
> >
> > 2014-07-03 0:07 GMT+08:00 Ted Yu <[email protected]>:
> >
> > > What specific hbase release are you using ?
> > > Was there only one HMaster before the restart ?
> > >
> > > Cheers
> > >
> > >
> > > On Tue, Jul 1, 2014 at 10:57 PM, Weichen YE <[email protected]>
> > > wrote:
> > >
> > > > Hi, all,
> > > >
> > > > I have been using HBase 0.94. Now I use the following hbase shell
> > > > command to give the user "Tom" the create and admin permission in
> > > > global scope:
> > > >
> > > >                         hbase(main):001:0> grant 'Tom','RWCXA'
> > > >
> > > > After that, the user 'Tom' has the permission to create a new table,
> > > > and we create a new table 'Tom-Table'. Now in the "_acl_" table we can
> > > > see the following two rows:
> > > >
> > > > ROW                                   COLUMN+CELL
> > > >  Tom-Table                            column=l:Tom, timestamp=1404279643504, value=RWXCA
> > > >  _acl_                                column=l:Tom, timestamp=1404279584901, value=RWCXA
> > > >
> > > > Now the problem is, after I restart the HMaster, the user 'Tom' loses
> > > > the ability to create a new table. The error log shows: "ERROR:
> > > > org.apache.hadoop.hbase.security.AccessDeniedException:
> > > > org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
> > > > permissions for user 'Tom' (global, action=CREATE)"
> > > >
> > > > So, it seems that user "Tom" cannot keep the create permission in
> > > > global scope after the HMaster is restarted. Does anyone know how to
> > > > fix this? Or is there another way to give a user permanent create
> > > > permission in global scope?
> > > >
> > >
> >
>
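
The following check is an added example, not part of the original thread or of HBase itself: it parses the text printed by `scan '_acl_'` in the hbase shell and reports whether an action that was denied at global scope is still recorded in the table, which separates a grant that has disappeared from one that is stored but not honoured after the restart. It assumes that global grants are kept under the row key `_acl_`, as in the scan quoted above; the function names and the sample text are constructed for illustration.

```python
import re

# Action letters accepted by the HBase shell `grant` command.
ACTIONS = {"R": "READ", "W": "WRITE", "X": "EXEC", "C": "CREATE", "A": "ADMIN"}
# Assumption taken from the scan in the thread: global grants sit under row `_acl_`.
GLOBAL_ROW = "_acl_"

CELL = re.compile(
    r"^\s*(?P<row>\S+)\s+column=l:(?P<user>[^,\s]+),\s*"
    r"timestamp=\d+,\s*value=(?P<perms>[A-Z]*)\s*$"
)

# Constructed sample, modelled on the two rows quoted in the thread.
SAMPLE_SCAN = """\
ROW                 COLUMN+CELL
 Tom-Table          column=l:Tom, timestamp=1404279643504, value=RWXCA
 _acl_              column=l:Tom, timestamp=1404279584901, value=RWCXA
2 row(s) in 0.0200 seconds
"""


def parse_acl_scan(text):
    """Map (row, user) -> set of action names for every ACL cell in the scan."""
    grants = {}
    for line in text.splitlines():
        m = CELL.match(line)
        if m is None:
            continue  # header, blank line or row-count summary
        unknown = set(m["perms"]) - set(ACTIONS)
        if unknown:
            raise ValueError(f"unknown action letters {sorted(unknown)}: {line!r}")
        grants[(m["row"], m["user"])] = {ACTIONS[c] for c in m["perms"]}
    return grants


def diagnose(scan_text, user, denied_action):
    """Say whether a denied global action is still recorded in `_acl_`."""
    stored = parse_acl_scan(scan_text).get((GLOBAL_ROW, user), set())
    if denied_action in stored:
        return "stored-but-denied"  # row survived; enforcement disagrees with it
    return "not-stored"  # the grant itself is missing from the table


if __name__ == "__main__":
    print(diagnose(SAMPLE_SCAN, "Tom", "CREATE"))
```

Run it on scan output captured before and after the HMaster restart; the same `stored-but-denied` result on both captures means the row was never removed.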
